Email Authentication SPF and DKIM help !!!

Status
Not open for further replies.

simon.evanz48

Hi,

I am in the process of setting up Google Apps for domain, mostly for their offerings of up to 50 extra email accounts plus a couple of features, etc.

I am having some problems trying to secure my domain from spammers and would like to know how to *properly* setup the Domain Keys Identified Mail (DKIM) standard on my addon domain.
which is:- wampbox.co.uk

My primary question is: How do I make my addon domain become the SOA on the x10hosting Servers. (or indeed if that is possible) as stated in the following error message:

The following is the cPanel warning I receive when I try to alter/save the SPF records:
In order to ensure that SPF or DKIM takes effect, you must confirm that this server is an authoritative nameserver for <mydomain>.elementfx.com. If you need help, contact your hosting provider.

Status: Enabled Warning: cPanel is unable to verify that this server is an authoritative nameserver for <mydomain>.elementfx.com.

In order to use my own domain name I have pointed it towards x10hosting name servers (ns1.x10hosting.com & ns2.x10hosting.com)

- This has been done and I am receiving traffic on my add-on domain. [OK]

Now I am left with the above error message in the SPF section of cPanel on my domain.
Can someone please shed some light on my situation and help point out what I may have done wrong, or indeed the steps required to setup DKIM for my addon domain.

FYI:


I have also followed the setup instruction during the DKIM setup stage from within Google Apps (for domains).

It recommended adding the following as a TXT record to my DNS zone for my addon domain to establish DKIM:

[KEY] google._domainkey
[TTL] 14400
[Value] "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADC<lots_more_chars_...>, etc, etc...."


During the setup phase of SPF I needed to retrieve the IP addresses of all Authorized email servers that will be allowed to send mail for my domain. As I am going to be using google Apps mail servers I was required to locate All the Additional Ip blocks for your domains (IP4) records which will be used to send mail for my domain.

I queried Google's SPF records to acquire the additional IPv4 address ranges so as to be able to set up my own SPF TXT record based upon Google's mail servers:

The Additional IPv4 addresses have been added using the CIDR format. (as seen below)

So I did the following:-

> nslookup -q=TXT _netblocks.google.com 8.8.8.8


Reply

Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
_netblocks.google.com text =

"v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"


Thanks
 

misson

When you write "cpanel", are you referring to the X10 cPanel, or the Google Apps control panel? Unfortunately, Google decided to give its product the same name as the existing cPanel, Inc's one, so just "cpanel" is ambiguous. Since you're using the X10 name servers, you should be using the X10 cPanel when creating DNS records.

> My primary question is: How do I make my addon domain become the SOA on the x10hosting Servers. (or indeed if that is possible) as stated in the following error message:

You can't and shouldn't do this, as the x10 name servers are already (and should be) set as the authoritative servers. The SOA record names the name server, not your domain.

$ dig +noall +answer wampbox.co.uk SOA
wampbox.co.uk. 42949 IN SOA ns1.x10hosting.com. support.x10hosting.com. 2012072620 86400 7200 3600000 86400

> The following is the cPanel warning I receive when I try to alter/save the SPF records:
> In order to ensure that SPF or DKIM takes effect, you must confirm that this server is an authoritative nameserver for <mydomain>.elementfx.com. If you need help, contact your hosting provider.
>
> Status: Enabled Warning: cPanel is unable to verify that this server is an authoritative nameserver for <mydomain>.elementfx.com.

Note that you can use [quote] tags to encase quoted text.

This looks like you're trying to set the SPF record on Google's cPanel, rather than on X10. Moreover, that the error references the elementfx.com domain conflicts with your statement that you're trying to set up the DKIM and SPF records for wampbox.co.uk. So, which domain are you trying to configure?

> During the setup phase of SPF I needed to retrieve the IP addresses of all Authorized email servers that will be allowed to send mail for my domain.

You don't need to put the IP addresses in your SPF record. Instead, you can use the include directive:

Code:
include:_spf.google.com

One set-up that I often use is to create a "3rdparty._spf" subdomain record for all non-local servers, a "_spf" subdomain record for local servers, and then include those from the main SPF record:

Code:
wampbox.co.uk.               43200 IN TXT "v=spf1 include:_spf.wampbox.co.uk include:3rdparty._spf.wampbox.co.uk ~all"
3rdparty._spf.wampbox.co.uk. 43200 IN TXT "v=spf1 include:_spf.google.com -all"
_spf.wampbox.co.uk.          43200 IN TXT "v=spf1 a:wampbox.co.uk -all"

It may not add much to your situation when it comes to administration, but when you've got a half-dozen servers in each category, it helps to keep them straight. It's also useful if your server ever sends mail on behalf of another: their SPF record can include your _spf subdomain.

> As I am going to be using google Apps mail servers I was required to locate All the Additional Ip blocks for your domains (IP4) records which will be used to send mail for my domain.

I believe this refers to the addresses for non-Google servers.
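
The include layout suggested in the reply above, evaluated offline as an added example (not part of the original post): an SPF evaluator restricted to the all, ip4, a and include mechanisms, run over constructed zone data. The A record address, the single-netblock _spf.google.com record and the helper names are assumptions for illustration.

```python
import ipaddress

# Constructed zone data. The wampbox.co.uk TXT records follow the layout in
# the reply above; the A record (documentation range) and the single-netblock
# _spf.google.com record are illustrative stand-ins, not live DNS.
TXT = {
    "wampbox.co.uk": "v=spf1 include:_spf.wampbox.co.uk "
                     "include:3rdparty._spf.wampbox.co.uk ~all",
    "_spf.wampbox.co.uk": "v=spf1 a:wampbox.co.uk -all",
    "3rdparty._spf.wampbox.co.uk": "v=spf1 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 ip4:209.85.128.0/17 ~all",
}
A = {"wampbox.co.uk": ["192.0.2.10"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on mechanisms that trigger DNS queries


def check_host(ip, domain, state=None):
    """Evaluate `ip` against `domain`'s SPF record; return (result, lookups)."""
    state = {"lookups": 0} if state is None else state
    record = TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none", state["lookups"]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        result = QUALIFIERS.get(term[0])
        mech = term[1:] if result else term
        name, _, arg = mech.partition(":")
        if name in ("a", "include"):
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror", state["lookups"]
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg)
        elif name == "a":
            matched = ip in A.get(arg or domain, [])
        elif name == "include":
            inner, _ = check_host(ip, arg, state)
            if inner in ("none", "permerror"):
                return "permerror", state["lookups"]
            # An include matches only on an inner "pass"; an inner -all or
            # ~all just means "no match here" and evaluation moves on.
            matched = inner == "pass"
        else:
            return "permerror", state["lookups"]  # mechanism not handled here
        if matched:
            return result or "pass", state["lookups"]
    return "neutral", state["lookups"]
```

A sender outside every listed range ends at the top-level ~all (softfail), because the -all inside an included record only makes that include not match. The lookup count returned alongside the result shows how much of the ten-lookup budget the nested includes consume.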
 

simon.evanz48

Hi misson,

Firstly, thank you for your reply.

I hope now this all makes a bit of sense as trying to communicate technical information contextually can sometimes be a total nightmare and I hope that I did not repeat myself too many times nor come across as being patronising as this is not my intention. So please bear with me as I step through and try to validate my thinking and possibly identify where I have gone wrong.

Oh, and thanks for sharing your tips on 3rdparty SPF records. I agree this technique will prove to be a real time saver on my brain's thinking power in times to come, cheers.

With regards to not specifying which cPanel interface that I was referring to through each of my points, indeed I should have been more specific with regards to this. I am however referring to x10hosting cPanel as this is what I am using to configure my add-on domain. [wampbox.co.uk]

> This looks like you're trying to set the SPF record on Google's cPanel, rather than on X10.

I am "Trying" to correctly setup SPF using x10 cPanel. I did however, use Google's cPanel to generate the DKIM value/Key pair which in turn, was then added to x10 cPanel as a TXT record.

I achieved this via "The Advanced DNS" section on x10 cPanel for the wampbox.co.uk domain name.

> Moreover, that the error references the elementfx.com domain conflicts with your statement that you're trying to set up the DKIM and SPF records for wampbox.co.uk. So, which domain are you trying to configure?

The domain that I am currently setting up, and by this I mean, sorting out the DKIM & SPF record is for wampbox.co.uk.

(wampbox.co.uk was added as an add-on domain to my account. My x10 Free hosting account was originally setup with the primary domain of pure.elementfx.com <- this domain is not being used for anything relating to the wampbox.co.uk domain)

Question:

Do I need to setup the SPF and DKIM TXT records on the pure.elementfx.com domain as opposed to including the TXT records on the wampbox.co.uk domain. I only say this as pure.elementfx.com is the primary domain for my account even though I am only trying to send mail through and really use the wampbox.co.uk domain ?



** Stepping through the instructions **

- As explained in the instructions found on the Google Apps Control Panel > Gmail > Help Prevent Spoofing section setup page..

QUOTE..
> Prevent spoofing by adding a digital signature
>
> One way to prevent spoofing is to add a digital signature to outgoing message headers using the DKIM standard. This involves using a private domain key to encrypt your domain’s outgoing mail headers, and adding a public version of the key to the domain's DNS records. Recipient servers can then retrieve the public key to decrypt incoming headers and verify the message is from you. Learn more about DKIM
>
> Go to the Advanced Tools tab in this control panel, scroll down to the Authenticate email section, and click Set up email authentication (DKIM).
> Select the domain you want to generate a domain key for.

I selected the domain that I wanted to generate a domain key for. [domain: wampbox.co.uk] it says in the Google cPanel Status: Authenticating email

> Click Generate new record.

Generate New Record: Nothing changed here, still using the originally generated DKIM key/value pair from when I started this process

> Optionally update the text used as the DKIM selector prefix. (This is only necessary if you're creating keys for multiple domains—otherwise, leave the prefix set to google.)
> Click Generate.

I continued to use default option for the DKIM selector prefix: value was google.com

> Your control panel displays a Text record name and Text record value. Keep this information handy as you'll need it in an upcoming step to update your domain's DNS settings...

This key/value pair information that was provided was what I included as a TXT record under x10 cPanel for the wampbox.co.uk domain. (as above in previous post)

---

So, this is now where I am currently at with respect to setting up DKIM and SPF records.

NB.

I have also taken into account, and also given sufficient time to allow for full DNS propagation throughout the inet for all my settings. So this I believe is not an issue.

Thanks for any help or assistance

Simon
 

simon.evanz48

FIXED

It looks like there was an issue with the additional IP blocks that are allowed for my domain. As mentioned earlier, I provided all the IPs found under the _spf.google.com records, which I added to the additional (IP4) blocks section. As soon as I tweaked these settings (removed them all except for x10 server IP address) and followed your advice and set up 3rdparty._spf.wampbox.co.uk now it all looks ok.

No more errors

Will be monitoring the situation closely and validating my setup in due course.

But all looks ok.

Thanks for help
 